Changing your passwords won’t stop hackers, Carleton study says

Routinely changing your Internet passwords will not stop cyber attackers from invading your accounts, according to a recent study done by two Carleton professors.

Carleton computer science professors Paul van Oorschot and Sonia Chiasson did a mathematical and theoretical study on the security of password expiration.

Password expiration is a cybersecurity function in which systems force users to change their passwords on a routine basis—usually every 30 days or few months.

Van Oorschot and Chiasson said they wanted to explore whether there was a sound reason why this function is necessary for Internet users in today’s age.

“Everyone has experienced problems with passwords,” Chiasson said in an email. “They’re hard to remember, there’s too many of them, they have crazy composition rules, and even if you manage all of that, many systems make passwords ‘expire’ so you change your passwords at regular intervals.”

They found that password expiration policies only barely protect against password attacks—when an attacker tries to guess a user’s password through random submissions.

“However, if an attacker gets access to the password in another way . . .then they have immediate access to the account,” Chiasson said. “In those cases, they will take measures to make sure that a password change doesn’t actually matter.”

Chiasson compared changing passwords regularly to changing locks on a person’s house just in case someone might have made a copy of the key.

“It seems absurd in real life, and yet we force users to do it for passwords,” she said.

She cited other cyberattack technique,s such as computer phishing or installing malware, as other ways hackers could obtain critical data without having to guess passwords.

“There are certainly times when password changes should occur,” Chiasson said. “If a user suspects that their password might have been stolen, or if it was shared, then yes, they should change their password because there’s a reason to suspect that there might be a problem.”

But Chiasson said changing passwords on a regular basis will result in “probably doing more harm than good” as users will resort making weaker passwords to cope with the rule.

“Basically, a determined attacker is able to get around the effects of password changes. The biggest negative consequences of password changes are felt by the users, not the attackers,” she said.

According to an email from van Oorschot, this study was “long overdue,” as many organizations use password expiration as a primary password security measure for users in their systems.

He said password expiration might be a practice that was relevant in computer usage years ago, but it was time to ask if the method was still relevant today.

“Administrators who insist on maintaining password expiration policies should also be asked why they do not use other defences instead which do not inconvenience users and would appear to offer better protection,” van Oorschot said.